Babylonia
Babylonia is a virus that infects .exe files on the Windows 9x series as well as Windows help (.hlp) files. It has similarities to other viruses, including Happy99 for its spreading abilities and Demo for its infection of .hlp files.

Behavior

When a file infected with Babylonia is executed, the virus does not take control immediately; instead it patches a JMP or CALL in the host and waits to be called. Once called, it scans the kernel to obtain Windows API function addresses and installs itself as a VxD system driver. It uses DESCRIPTOR 0 to store temporary data. The virus allocates some memory, installs a hook in the IFS (Installable File System) handler, and then waits for accesses to Portable Executables, help files and WSOCK32.DLL. Babylonia checks whether SPIDER.VXD and AVP.VXD (antivirus libraries) are loaded and, if so, patches them so they can no longer open files. The virus may still be memory resident when it returns control to the host; if so, it drops and executes its online updating module.

When Babylonia infects a Portable Executable, it either appends itself to the last section or overwrites the .reloc section. CODE sections are scanned for a suitable place to insert a call to the virus. Help files are infected with a script that passes control to the virus code by using the callback feature of the USER32 EnumWindows() API. When WSOCK32.DLL is accessed, the virus looks for the send() function and adds code that spreads the virus through email: an infected file is attached to any email sent by the user. There were meant to be six possible names for the infected attachment, but due to a bug in the code it only sends itself out as X-MAS.exe, with a Christmas-themed icon. The virus code is compressed with the aPLib v0.22b library; Vecna optimized his old LZW compression scheme to improve both speed and size, using the same algorithm as in the Fabi virus. Babylonia has serious problems infecting anything other than a Windows 9x system, because it relies on VxD calls specific to the Windows 9x series.
Windows NT and later versions of Windows cannot be infected.

Babylonia uses a module dropped during the initial infection stage to receive updates from the Internet. This module is placed in the Windows System directory under the name KERNEL32.EXE (not to be confused with the legitimate KERNEL32.DLL). It adds this file to the local machine Run key in the registry so that it starts with the system. It also hides itself from the CTRL+ALT+DEL task list, staying in the background and waiting for the user to connect to the Internet. When the user connects, the module contacts Vecna's own web page to download plug-ins for the virus, and exits once all the plug-ins are downloaded. The plug-ins have a special format: a header consisting of the ID stamp 'VMOD', then a version stamp, then the address of the 'main' routine in the file. These 'main' routines are Win32 programs; the virus locates them and passes control to their code.
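The plug-in header described above lends itself to a small triage parser for an analyst sorting through dropped files. The following is an added example, not code from the original article or from the virus; the field widths (a 32-bit little-endian version stamp followed by a 32-bit little-endian file offset of 'main') are assumptions, since the article only names the fields, and the sample bytes are constructed.

```python
import struct

VMOD_MAGIC = b"VMOD"
HEADER_LEN = 12  # assumed layout: 4-byte magic + u32 version + u32 offset of 'main'


def parse_vmod_header(data: bytes) -> dict:
    """Parse the assumed plug-in header: b'VMOD', version (u32 LE), offset of 'main' (u32 LE).

    Returns version, main_offset and whether the entry offset is plausible
    (past the header and inside the file). Raises ValueError if the magic is absent.
    """
    if len(data) < HEADER_LEN or data[:4] != VMOD_MAGIC:
        raise ValueError("not a VMOD plug-in: magic missing")
    version, main_offset = struct.unpack_from("<II", data, 4)
    valid = HEADER_LEN <= main_offset < len(data)
    return {"version": version, "main_offset": main_offset, "valid": valid}


def scan_for_vmod(blob: bytes) -> list:
    """Triage helper: list (offset, version, main_offset) for every plausible
    VMOD header found anywhere in a blob (e.g. a memory dump or carved file)."""
    hits = []
    start = 0
    while True:
        idx = blob.find(VMOD_MAGIC, start)
        if idx < 0:
            return hits
        try:
            hdr = parse_vmod_header(blob[idx:])
            if hdr["valid"]:
                hits.append((idx, hdr["version"], hdr["main_offset"]))
        except ValueError:
            pass  # too short to hold a header; keep scanning
        start = idx + 1


# Constructed sample: version 1, 'main' at offset 12, followed by 8 bytes of filler
SAMPLE_PLUGIN = VMOD_MAGIC + struct.pack("<II", 1, 12) + b"\x90" * 8
# Constructed sample whose entry offset points outside the file (rejected as implausible)
BAD_PLUGIN = VMOD_MAGIC + struct.pack("<II", 2, 0x1000) + b"\x90" * 8

if __name__ == "__main__":
    print(parse_vmod_header(SAMPLE_PLUGIN))
    print(scan_for_vmod(b"junk" + SAMPLE_PLUGIN + BAD_PLUGIN))
```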